How GDPR enforcement promotes development of digital ID

Regulators are handing out fines for GDPR violations, that while relatively small can have a large impact on the push for sharable identity by drawing attention to how large companies use data.

The largest fine to date came Tuesday, when the French data protection agency CNIL fined Google about $57 million for not meeting GDPR responsibilities when onboarding Android users. The technology giant didn’t provide adequate information about data consent policies and not did it give enough control to consumers over data usage, CNIL said, adding Google has not yet fixed these violations.

GDPR, which went into effect in May 2018, is a European regulation that is expected to have a global impact since many U.S. companies do business in Europe. There’s also a trend toward protecting consumer data, given the spat of data breaches in recent years and concerns about large card issuers and other institutions having centralized control over data.

Bloomberg News

These concerns are pushing digital ID and other forms of portable authentication. Much of the technology, such as blockchain, decentralizes consumer access and thus gives users more control over data. That would lessen the ability of large corporations to analyze consumer data without consumers being more involved in the opt out process.

“The influence of GDPR is definitely helping to bring these issues to the forefront. Issuing fines to big, well-known companies like Google is one major way that consumers will hear about these issues,” said Gee Chuang, co-founder of Listia, a Sunnyvale, Calif.-based digital marketplace. “As more consumers start thinking about data ownership and the concept of owning your own digital ID, companies and services will feel increased pressure to shift to a more decentralized model. Users will start to demand that companies let them own their own identity and reputation.”

The GDPR fines are more of a reminder of the debate between centralized and decentralized data control than a financial burden, particularly since it’s not the first time in recent months Google has found itself on the critical side of a data issue.

Google did not answer questions on if it planned an appeal or an update to its compliance technology. In an email, Google’s public relations office said: “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”

These fines aren’t large for a company like Google, though the levy is substantial when localized to France. The French CNIL based its fine amount on Google’s activity in France, which is about 15 percent of Google France’s 2017 net sales of about $370 million in 2017. Under GDPR’s fine cap of 4 percent of yearly net sales, regulators could have fined Google more than $3 billion based on Google’s overall net sales of about $93 billion in 2017. The CNIL could not be reached for comment.

Google reportedly paid millions of dollars to Mastercard as part of a data sharing agreement. The companies were criticized after the deal, though both Google and Mastercard say they have opt-out agreements for data usage and pushed back against media characterizations of a data sharing deal. However, the relationship is expected to inspire a fierce data battle among large card companies, search companies, merchants and financial institutions to optimize the marketing and cross-selling power of data.

“Fines will certainly help to keep focus, but the trend to digital ID is a more general one,” said Ron van Wezel, a senior analyst at Aite Group, adding one of the objectives of GDPR is to give people more control over their data. “That applies to how data is used, and for which purpose…digital identities can help securely authenticate customers and give them control.”

The expansion of alternatives to Google could also push digital ID and decentralized data sharing in addition to GDPR compliance pressure.

“If Microsoft and Apple implemented competitive products that leverage a self-sovereign environment, that could move the market much faster,” said Tim Sloane, vice president of payments innovation at Mercator Advisory Group, adding large internet companies won’t change their data control strategy quickly given the impact on revenue. “Even better would be a solution similar to Sovrin which enables the exchange of value in return for the release of personal information.”